KVM Bridge Network

Bridge Network KB ID 0001891

Problem

KVM does not come configured for this out of the box, and it took me a long time to work out how to do it. The default libvirt network ('default') puts VMs on a private subnet behind the host with DHCP and NAT, which is fine if nothing outside the host ever needs to reach them. If you want your VMs to behave as if they are plugged straight into your production LAN, reachable from other machines and addressed by your own DHCP server, you need bridged networking.

In my example I want my VMs to get an IP address from my DHCP server.

Solution : Bridge Network

The host currently has its IP address on the physical network interface (192.168.100.20 in my example). The process is: create a network bridge, move the host's IP address off the physical interface so that it is now ON THE BRIDGE, add the physical interface to the bridge as a port, and finally move the VMs onto the bridge.

The following commands display your current libvirt virtual networks and your current Linux bridges, then create a new bridge (br0), and finally confirm the new bridge is listed. (brctl comes from the bridge-utils package; if it is not installed, 'bridge link' and 'ip link show type bridge' from iproute2 do the same job. Creating br0 by hand here is optional, because the netplan configuration below creates the bridge itself if it does not exist.)

[box]

virsh net-list --all
brctl show
sudo brctl addbr br0
brctl show

[/box]

The host's IP address has to move from the physical interface to the bridge, and on Ubuntu that is done in netplan. List the netplan files and edit the one that configures your interface.

[box]

ls /etc/netplan
TAKE NOTE OF THE NAME
sudoedit /etc/netplan/{name-of-netplan-file}.yaml

[/box]

Edit Netplan

Example (Note: enter YOUR addresses, and your interface may have a different name, e.g. eth0 or enp3s0; 'ip link' will show it)

[box]

network:
  version: 2
  renderer: networkd

  ethernets:
    ens33:
      # The physical NIC keeps no address of its own: it becomes a bridge port.
      dhcp4: false
      dhcp6: false

  bridges:
    br0:
      interfaces: [ens33]
      # The host's address, default route and DNS now live on the bridge.
      addresses: [192.168.100.20/24]
      routes:
      - to: default
        via: 192.168.100.1
        metric: 100
        on-link: true
      mtu: 1500
      nameservers:
        addresses: [192.168.100.10,192.168.100.3]
      parameters:
        stp: true
        forward-delay: 4
      dhcp4: no
      dhcp6: no

[/box]

Save and exit the file. Note on the STP settings: with stp enabled the bridge port spends two forward-delay periods (8 seconds here) in listening/learning before it forwards traffic, so expect a short outage when the configuration is applied. If the upstream switch port runs BPDU guard it will err-disable the port when the host starts sending BPDUs; in that case set stp to false.

Now we need to exempt traffic passing through the bridge from netfilter (i.e. from iptables/nftables inspection on the host). With the br_netfilter module loaded, every frame between a VM and the LAN is run through the host's FORWARD chain, so a host firewall such as ufw (whose default forward policy is to drop) can silently break VM connectivity. Be aware of the trade-off: with these sysctls set the host firewall no longer sees or filters bridged VM traffic at all, so any filtering has to happen in the guests or upstream.

[box]

sudoedit /etc/sysctl.d/bridge.conf

[/box]

Paste in the following text, then save and exit.

[box]

net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-arptables=0

[/box]

Files in /etc/sysctl.d are applied at boot, but these three keys only exist once the br_netfilter kernel module is loaded, so if the module is only loaded later the settings are silently skipped and sysctl -p reports the keys as missing. To apply them now, load the module with modprobe br_netfilter and run the same sysctl -p command the udev rule below uses; the udev rule makes them permanent by re-applying the file every time the module is loaded.

[box]

sudoedit /etc/udev/rules.d/99-bridge.rules

[/box]

Paste in the following, then save and exit.

[box]

ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
RUN+="/sbin/sysctl -p /etc/sysctl.d/bridge.conf"

[/box]

Now we will stop and undefine the built in default network. This is optional, as the bridge does not depend on it, but it removes virbr0 and the NAT/DHCP service libvirt runs for it. Do not do it while any VM still references the default network, or that VM will refuse to start until you move it to the bridge (see below).

[box]

virsh net-list --all
virsh net-destroy default
virsh net-undefine default
virsh net-list --all

[/box]

Before applying the netplan we created earlier, take a look: the IP address is currently on interface ens33, and when we have finished it will be on br0. If you are connected over SSH rather than on the console, run 'sudo netplan try' first; it applies the configuration and rolls it back automatically after 120 seconds unless you press Enter to accept, so a mistake does not leave the host unreachable.

[box]

ip addr
sudo netplan apply

[/box]

Now check again and ensure that br0 has the IP address and that ens33 no longer does ('bridge link' will also show ens33 as a port of br0).

[box]

ip addr

[/box]

We are now going to define the libvirt network for the bridge. sudoedit refuses to edit files in a directory you can write to (and you do not need root to create a file in your own home directory anyway), so I'm using vi instead.

[box]

vi host-bridge.xml

[/box]


Paste in the following, then save and exit (Esc > :wq)

[box]

<network>
  <name>host-bridge</name>
  <forward mode="bridge"/>
  <bridge name="br0"/>
</network>

[/box]

From the file we just created, define the new network, start it, set it to autostart with the host, and finally confirm it is defined and active.

[box]

virsh net-define host-bridge.xml
virsh net-start host-bridge
virsh net-autostart host-bridge
virsh net-list --all

[/box]

Connecting VMs to the Bridge Network

List the registered VMs, then edit the VM you want to change.

[box]

virsh list --all
virsh edit {VM-Machine-Name}

[/box]

Locate the VM's network interface block (interface type='network') and change its source line from <source network='default'/> to <source network='host-bridge'/>, then save and exit the file (virsh edit validates the XML when you save).

I manage my VMs with Cockpit, and they were working fine, but they were asking to be restarted. I did that with mixed results (some worked, others didn't).

I had 100% success by removing the old network connection and adding a new one like so; this was for an Ubuntu guest VM (Note: if it's a Windows VM, use an e1000e model card instead).
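If you have more than a handful of guests, editing each one in virsh edit gets tedious. The script below is an added example for this article (not libvirt's, Cockpit's or virt-manager's own tooling) that does the same edit programmatically: it re-points every interface on the 'default' network at 'host-bridge', keeps the MAC address so DHCP reservations still match, and for a Windows guest switches the NIC model to e1000e as noted above. The guest name 'ubuntu-guest' and the sample XML are constructed for the example; rewrite_domain_xml() is pure and runs offline, migrate_guest() wraps it with virsh dumpxml and virsh define.

```python
"""Move libvirt guests from the 'default' NAT network to the bridged network.

Added example for this article, not libvirt's, virt-manager's or Cockpit's
own tooling. rewrite_domain_xml() edits a domain's XML the way 'virsh edit'
would have you do by hand; migrate_guest() applies it to a named guest.
"""
import subprocess
import sys
import tempfile
import xml.etree.ElementTree as ET
from typing import Tuple

OLD_NETWORK = "default"      # libvirt's built-in NAT network (virbr0)
NEW_NETWORK = "host-bridge"  # the network defined from host-bridge.xml above

# Constructed sample (not a real guest): the kind of <interface> blocks
# 'virsh edit' shows. The second interface is on another network and must
# be left alone.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>ubuntu-guest</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:12:34:56'/>
      <source network='default'/>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:ab:cd:ef'/>
      <source network='isolated'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""


def rewrite_domain_xml(xml_text: str, windows_guest: bool = False) -> Tuple[str, int]:
    """Return (new_xml, interfaces_changed).

    Each <interface type='network'> with <source network='default'/> is
    re-pointed at NEW_NETWORK. Other interfaces and the MAC addresses are
    untouched. For a Windows guest the NIC model becomes e1000e, as the
    article advises (virtio needs the virtio drivers installed in the guest).
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for iface in root.iter("interface"):
        if iface.get("type") != "network":
            continue
        source = iface.find("source")
        if source is None or source.get("network") != OLD_NETWORK:
            continue
        source.set("network", NEW_NETWORK)
        if windows_guest:
            model = iface.find("model")
            if model is None:
                model = ET.SubElement(iface, "model")
            model.set("type", "e1000e")
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def migrate_guest(name: str, windows_guest: bool = False) -> int:
    """Fetch the guest's persistent XML, rewrite it, and redefine the guest.

    Returns the number of interfaces moved. 'virsh define' replaces the
    persistent definition; a running guest picks the change up on its next
    full shutdown and start, which is the restart Cockpit asks for.
    """
    dump = subprocess.run(["virsh", "dumpxml", "--inactive", name],
                          check=True, capture_output=True, text=True)
    new_xml, changed = rewrite_domain_xml(dump.stdout, windows_guest)
    if changed == 0:
        return 0
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as tmp:
        tmp.write(new_xml)
        path = tmp.name
    subprocess.run(["virsh", "define", path], check=True)
    return changed


def main(argv) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} <guest-name> [--windows]", file=sys.stderr)
        return 2
    moved = migrate_guest(argv[1], windows_guest="--windows" in argv[2:])
    print(f"{argv[1]}: {moved} interface(s) moved from '{OLD_NETWORK}' to '{NEW_NETWORK}'")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per guest (for example in a loop over the output of 'virsh list --all --name') before you destroy the default network, since a guest still pointing at 'default' will not start once that network is gone. Running the script a second time on an already migrated guest changes nothing, so it is safe to re-run.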

Related Articles, References, Credits, or External Links

Install Ubuntu KVM

Cisco ASA 5506-X: Bridged BVI Interface

KB ID 0001422

Problem

When the ASA 5506-X appeared there was much grumbling: "This is not a replacement for the ASA 5505, I need to buy a switch as well!" and "I have six ports on the firewall I can't use" etc.

While I understand that, if truth be told the ASA 5505 was SUPPOSED to be used in SOHO environments, where an all-in-one device (with PoE) was a great fit. The problem was, people started throwing them in everywhere; I've seen them in large businesses and in data centres, because it's easier to sell a firewall that costs less than 500 quid than it is to sell a firewall that fits the network requirements!

To 'fix' the problem would probably mean changing hardware, so Cisco gave us a BVI (Bridge Virtual Interface) instead, with version 9.7. Well, not strictly true: the ASA has had BVI interfaces in 'transparent mode' for some time, but 9.7 brought bridge groups to routed mode. So on an ASA 5506-X with a default configuration it 'bridges' interfaces GigabitEthernet1/2 to 1/8 into one BVI, which is named the inside interface and given an IP address.

Oh great! So just like an ASA 5505 then? Well no, sorry. I don't like it, because it needs an access-group/ACL for each bridged member interface and a NAT statement for each bridged member interface: as the default config below shows, the NAT rules and the http (ASDM) lines are written against the member interface names, not against the BVI. Unless you have a very simple network, that can get very complicated, very quickly! The same holds true for remote management via SSH/ASDM, which has to be permitted on each member interface.

Changes to ASA for BVI Interface

I’ll shorten the default firewall config and show you the ‘added commands’ that are used for this configuration.

[box]

!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
!
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
!
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
!
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
!

[/box]

Yes, I'm not making it up: that's the added default config for a new 5506-X firewall (post version 9.7). If you issue 'configure factory-default', that's what you will get! (Don't panic: if you upgrade a firewall it won't add this in.)

Is That What You Wanted?

Well if you are a small business and make very few changes to the firewall then this may be fine (if a little cumbersome to set up). But to be honest I think it's pretty bobbins! So I'll be ripping it out of every 5506-X I deploy.

ASA 5506-X Remove the BVI Interface From CLI

First you have to remove the bridge group from each physical member interface, but before that you need to remove the interface name (nameif) on each one, or the ASA will error. Connect via the console cable, or from the outside interface, because you are about to remove the configured inside interface (until we recreate it). If you do work from the outside interface, make sure the ssh/http management commands on outside only permit your own source address, and remove them again when you are done.

[box]

!
interface GigabitEthernet1/2
 no nameif
 no bridge-group 1
interface GigabitEthernet1/3
 no nameif
 no bridge-group 1
interface GigabitEthernet1/4
 no nameif
 no bridge-group 1
interface GigabitEthernet1/5
 no nameif
 no bridge-group 1
interface GigabitEthernet1/6
 no nameif
 no bridge-group 1
interface GigabitEthernet1/7
 no nameif
 no bridge-group 1
interface GigabitEthernet1/8
 no nameif
 no bridge-group 1
!

[/box]

Only now can you remove the BVI interface.

[box]

clear configure interface BVI1
WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
WARNING: BVI interface 1 is in use.

[/box]

Note: The BVI1 interface will now disappear from the config (if you're used to working on routers it's a bit like removing a loopback interface). Now remove the 'defunct' network objects that only existed to carry the per-member-interface NAT statements; removing each object removes its NAT rule with it.

[box]

no object network obj_any1
no object network obj_any2
no object network obj_any3
no object network obj_any4
no object network obj_any5
no object network obj_any6
no object network obj_any7

[/box]

Assuming your outside interface (GigabitEthernet1/1) is still up and connected (by default it is set to DHCP and takes its default route from DHCP, i.e. 'ip address dhcp setroute'), you then need to configure an 'inside' interface (I'll use GigabitEthernet1/2) and a NAT/PAT rule to allow traffic out.

[box]

!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
object network OBJ-NAT-ALL
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!

[/box]

That gets everything up and connected: all traffic from inside (security-level 100) to outside (security-level 0) is allowed by the default security-level behaviour, and anything initiated from the outside is blocked because no access-list permits it. If you want to restrict what the LAN can reach, add an access-list on the inside interface.
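The order of the removal commands above matters (nameif before bridge-group, members before the BVI, objects last), and on a box with all seven members it is easy to miss one. The script below is an added example for this article (not Cisco tooling): it parses 'show running-config' text, finds the members of a bridge group, the BVI and the network objects whose NAT rules reference a member interface, and emits the removal commands in the order the ASA accepts. SAMPLE_CONFIG is a constructed, trimmed version of the factory config shown above (two members rather than seven) so the example runs offline; feed it a real running-config file to plan a real clean-up, and review the output before pasting it in from the console.

```python
"""Plan the CLI needed to dismantle an ASA 5506-X factory bridge group (BVI).

Added example for this article, not Cisco tooling. It reads running-config
text and emits the removal commands in the only order the ASA accepts:
nameif off each member, then bridge-group off, then clear the BVI, then
drop the per-member NAT objects (which takes their NAT rules with them).
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample trimmed from the factory-default config shown above
# (two bridge members instead of seven, plus the outside interface and an
# unrelated object that must NOT be removed).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network OBJ-NAT-ALL
 subnet 0.0.0.0 0.0.0.0
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
"""

Block = Dict[str, str]  # one interface/object block: sub-command -> rest of line


def parse_config(text: str) -> Dict[str, Dict[str, Block]]:
    """Collect 'interface X' and 'object network X' blocks with their sub-commands.

    The ASA repeats 'object network X' when NAT is added to an existing
    object, so blocks with the same name are merged.
    """
    interfaces: Dict[str, Block] = {}
    objects: Dict[str, Block] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):               # a new top-level command
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = interfaces.setdefault(m.group(1), {})
                continue
            m = re.match(r"object network (\S+)$", line)
            if m:
                current = objects.setdefault(m.group(1), {})
                continue
            current = None                         # a block we do not track
            continue
        if current is not None:
            key, _, rest = line.strip().partition(" ")
            current[key] = rest
    return {"interfaces": interfaces, "objects": objects}


@dataclass
class RemovalPlan:
    group: int
    members: List[str] = field(default_factory=list)      # physical member interfaces
    bvi_present: bool = False
    nat_objects: List[str] = field(default_factory=list)  # objects NATing via a member


def plan_bvi_removal(config_text: str, group: int = 1) -> RemovalPlan:
    cfg = parse_config(config_text)
    plan = RemovalPlan(group)
    member_names = set()
    for name, attrs in cfg["interfaces"].items():
        if attrs.get("bridge-group") == str(group):
            plan.members.append(name)
            if "nameif" in attrs:
                member_names.add(attrs["nameif"])
    plan.bvi_present = f"BVI{group}" in cfg["interfaces"]
    for name, attrs in cfg["objects"].items():
        m = re.match(r"\((\S+),(\S+)\)", attrs.get("nat", ""))
        if m and m.group(1) in member_names:   # nat (member,outside) ...
            plan.nat_objects.append(name)
    return plan


def render_commands(plan: RemovalPlan) -> List[str]:
    """Emit configure-terminal commands in the order the ASA requires."""
    cmds: List[str] = []
    for intf in plan.members:
        cmds += [f"interface {intf}", " no nameif", f" no bridge-group {plan.group}"]
    if plan.bvi_present:
        cmds.append(f"clear configure interface BVI{plan.group}")
    for obj in plan.nat_objects:
        cmds.append(f"no object network {obj}")
    return cmds


if __name__ == "__main__":
    # Usage: asa-unbridge.py [running-config.txt] [bridge-group]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    group = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    print("\n".join(render_commands(plan_bvi_removal(text, group))))
```

The script deliberately only removes objects whose NAT rule names a bridge member, so an object such as the OBJ-NAT-ALL you add afterwards is left alone, and it emits nothing for a bridge group that does not exist in the config.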

ASA 5506-X Remove the BVI Interface From ASDM

Configuration > Device Setup > Interface Settings > Interfaces > Select interface 1/8 > Edit.

Remove the Interface name > OK >OK.

Change the Bridge Group to ‘None’ > OK.

Repeat for interfaces 1/7 to 1/2 > Apply.

Select BVI1 > Delete > Yes.

Configuration > Firewall > Objects > Network Objects/Groups > obj_any1 > Delete > Repeat for all the other obj_any objects.

Save the changes.


Related Articles, References, Credits, or External Links

NA

Batch Resizing and Batch Renaming Images in Photoshop

KB ID 0000597 

Problem

I have to do this quite a lot: I take a lot of screenshots for the site and have to resize them down (usually to 550 pixels) so that they fit with the layout. In addition I scale the larger screenshots down to 900 pixels for the images I hyperlink to. This means I spend a long time in Photoshop messing about with image sizes. The smaller of the two images you see on the site nearly always has the same name, but with an 's' on the end.

So If I can batch resize and batch rename these files I will save myself a LOT of time.

Solution

In Photoshop, you can record an 'action' of yourself resizing an image, then 'batch process' that action over a lot of images, but I find that clunky and sometimes it simply will not do what I want it to do! So I use Adobe Bridge instead.

Batch Resize Images in Photoshop

1. Open Photoshop and select File > Browse in Bridge.

2. Browse to the location/folder containing your images and select them > Tools > Image Processor.

3. Select a folder to save the altered images to (Note: even if you select the same location it creates a sub-folder there and puts the changed images in it; don't panic). Set the width to your required size (the height is scaled proportionally, image by image). To start, press 'Run'.

Batch Resize and Rename Images in Photoshop

1. Now I want to create my 'thumbnails'; as before, open the Image Processor.

2. This time I want my images 550 px wide (Note: for a thumbnail that's pretty big! But that's what I use on this site). 'Run' with those settings.

3. Now MAKE SURE you have your modified images selected, and select Tools > Batch Rename.

4. The first time you see this screen it’s not very intuitive. You can delete and add options as required, keep changing them until the preview shows what you want, and select ‘Rename’.

Related Articles, References, Credits, or External Links

Photoshop – Drawing Arrows

Photoshop – Drawing box’s